Settings and recommended values (one record per setting; columns: Area, Type of setting, Name, Storage, Description, Relevant SAP Note, New recommended value)

auth/check/calltransaction
  Area: Authorizations
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 515130
  New recommended value: 3
  Description: Behaviour of the authority check during CALL TRANSACTION. Controls how CALL TRANSACTION statements in all programs react to missing entries in SE97 (table TCDCOUPLES). If not set to 3, authorization checks for the called transaction are not properly enforced.

auth/object_disabling_active
  Area: Authorizations
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: -
  New recommended value: N
  Description: Allows authorization checks to be switched off globally for selected authorization objects (prerequisite for transaction AUTH_SWITCH_OBJECTS). If not set to N, a global deactivation of authorization objects is possible.

auth/rfc_authority_check
  Area: Authorizations
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2216306
  New recommended value: 6
  Description: Execution option for the RFC authority check. Controls whether authentication and authorization checks are enforced when RFC function modules are called remotely. If not set to 6, unauthenticated users can obtain information (information disclosure).

gw/reg_no_conn_info
  Area: Server infrastructure
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2776748
  New recommended value: 255
  Description: Activates additional security functions of the RFC gateway according to the bits set in this bitmask. If not set to 255, not all security checks are enforced in the RFC gateway.

gw/rem_start
  Area: Server infrastructure
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2776748
  New recommended value: DISABLED
  Description: Specifies the method with which an RFC server program may be started at OS level from an external endpoint. If not set to DISABLED, an improper or insecure OS logon method (such as RSH) might be usable.

icf/set_HTTPonly_flag_on_cookies
  Area: Logon & SSO
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 1277022
  New recommended value: 0
  Description: Sets the HttpOnly attribute on ICF cookies. If not set to 0, JavaScript code running in the browser may access sensitive cookies.

icm/HTTP/logging_0
  Area: Monitoring & Logging
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2788140
  New recommended value: PREFIX=/,LOGFILE=http_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i %w1 %w2
  Description: Creates an access log of incoming HTTP requests from the intranet and the internet. If not set properly, important information is missing from the logs.

icm/HTTP/logging_client_0
  Area: Monitoring & Logging
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2788140
  New recommended value: PREFIX=/,LOGFILE=http_client_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i
  Description: Creates an access log of outgoing ICM calls to the intranet and the internet. If not set properly, important information is missing from the logs.

icm/security_log
  Area: Monitoring & Logging
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2788140
  New recommended value: LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month
  Description: Controls the output of the security log of the ICM and the SAP Web Dispatcher. If not set properly, important information is missing from the logs.

login/disable_cpic
  Area: Logon & SSO
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: -
  New recommended value: 1
  Description: If not set to 1, incoming connections of type CPIC are not rejected. Incoming connections of type RFC are not affected.

login/password_downwards_compatibility
  Area: Logon & SSO
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 1023437
  New recommended value: 0
  Description: Controls whether the system also stores password hashes in an obsolete format for compatibility reasons. If not set to 0, outdated hashes are kept that an adversary with read access to the password hash tables can crack easily.

login/password_hash_algorithm
  Area: Logon & SSO
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2140269
  New recommended value: encoding=RFC2307,algorithm=iSSHA-512,iterations=15000,saltsize=256
  Description: Strengthens the password hash calculation to make dictionary and brute-force attacks more expensive.

ms/HTTP/logging_0
  Area: Monitoring & Logging
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2794817
  New recommended value: PREFIX=/,LOGFILE=$(DIR_LOGGING)/ms-http-%y-%m-%d.log%o,MAXFILES=7,MAXSIZEKB=10000,SWITCHTF=day,LOGFORMAT=%t %a %u %r %s %b %{Host}i
  Description: Controls the output of the message server HTTP log. If not set properly, important information is missing from the logs.

ms/http_logging
  Area: Monitoring & Logging
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2794817
  New recommended value: 1
  Description: Activates the message server HTTP log. If not set properly, important information is missing from the logs.

rdisp/gui_auto_logout
  Area: Logon & SSO
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: -
  New recommended value: 1H
  Description: Controls the automatic logoff of dialog users after a period of inactivity. If not set, no automatic logout occurs, making misuse of unattended sessions by unauthorized personnel more likely.

rdisp/vbdelete
  Area: Business data integrity
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2441606
  New recommended value: 0
  Description: Specifies the number of days after which an update request is deleted. At the end of this period, update requests are deleted irrespective of their status. If the parameter is not 0, update requests that the business still needs to ensure data integrity could be deleted.

rfc/callback_security_method
  Area: RFC interface
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2678501
  New recommended value: 3
  Description: Permits or denies the execution of RFC callbacks according to the configured whitelist and writes a corresponding entry to the Security Audit Log. If not set to 3, improper RFC callback attempts are still allowed.

rfc/ext_debugging
  Area: RFC interface
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 668256
  New recommended value: 0
  Description: Activates external (HTTP) debugging for RFC. If not set to 0, debugging is possible.

rfc/reject_expired_passwd
  Area: Logon & SSO
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 1591259
  New recommended value: 1
  Description: Controls whether logon via RFC with an expired or initial password is allowed. If not set to 1, users with a non-productive password can remotely call RFC function modules.

wdisp/add_xforwardedfor_header
  Area: Monitoring & Logging
  Type of setting: Profile parameter
  Storage: DEFAULT.PFL
  Relevant SAP Note: 2788140
  New recommended value: TRUE
  Description: Enables inclusion of the client IP address in the HTTP X-Forwarded-For header. If not set to TRUE, the client IP address is not added, which makes the request route harder to determine for applications and reduces the useful information in the logs.

Security Audit Log configuration
  Area: Monitoring & Logging
  Type of setting: Customizing
  Storage: RSAU_CONFIG
  Relevant SAP Note: 2838480
  New recommended value: If the Security Audit Log does not contain any active filters, the recommended filter settings from SAP Note 2676384 are set up.
  Description: Configures an initial setup of the Security Audit Log. If not configured, the Security Audit Log records no security events.
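The recommended values above can be checked mechanically. The following Python script is an added example (not part of the original document and not an SAP tool): it parses a profile in DEFAULT.PFL syntax, compares each parameter from the table against the recommended value, and treats a parameter that is absent from the profile as running with the kernel default named in the "Revert back method" column. The profile text inside the script is constructed for illustration. Assumptions not taken from the table: the bitmask check simply requires all eight low bits of gw/reg_no_conn_info to be set, the time value of rdisp/gui_auto_logout is accepted in seconds or with an S/M/H suffix, a larger iteration count for login/password_hash_algorithm is accepted, and compound values are compared key by key with LOGFILE/PREFIX left out so that a site-specific log path does not count as a deviation.

```python
"""Audit an SAP profile against the recommended values in the table above.

Added example, not part of the original document or of SAP software.  The
profile text is constructed for illustration; parameter names, recommended
values and kernel defaults are taken from the table.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Recommended values (column "New recommended value").  The two HTTP access-log
# parameters can be added here with their recommended strings in the same way.
BASELINE = {
    "auth/check/calltransaction": "3",
    "auth/object_disabling_active": "N",
    "auth/rfc_authority_check": "6",
    "gw/reg_no_conn_info": "255",
    "gw/rem_start": "DISABLED",
    "icf/set_HTTPonly_flag_on_cookies": "0",
    "icm/security_log": "LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month",
    "login/disable_cpic": "1",
    "login/password_downwards_compatibility": "0",
    "login/password_hash_algorithm": "encoding=RFC2307,algorithm=iSSHA-512,iterations=15000,saltsize=256",
    "ms/http_logging": "1",
    "rdisp/gui_auto_logout": "1H",
    "rdisp/vbdelete": "0",
    "rfc/callback_security_method": "3",
    "rfc/ext_debugging": "0",
    "rfc/reject_expired_passwd": "1",
    "wdisp/add_xforwardedfor_header": "TRUE",
}
# Kernel defaults named in the "Revert back method" column: a parameter that is
# absent from the profile effectively runs with this value.
KERNEL_DEFAULT = {
    "auth/check/calltransaction": "2", "auth/object_disabling_active": "Y",
    "auth/rfc_authority_check": "1", "gw/reg_no_conn_info": "1",
    "icf/set_HTTPonly_flag_on_cookies": "3", "login/disable_cpic": "0",
    "login/password_downwards_compatibility": "1", "ms/http_logging": "0",
    "rdisp/gui_auto_logout": "0", "rdisp/vbdelete": "50",
    "rfc/callback_security_method": "1", "rfc/ext_debugging": "3",
    "rfc/reject_expired_passwd": "0", "wdisp/add_xforwardedfor_header": "FALSE",
}
PATH_KEYS = {"logfile", "prefix"}  # site-specific file names, not compared
TIME_UNIT = {"": 1, "S": 1, "M": 60, "H": 3600}  # assumed suffix syntax; the table uses "1H"

SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL excerpt for this example, not a real system
SAPSYSTEMNAME = ABC
auth/check/calltransaction = 3
auth/rfc_authority_check = 1
gw/reg_no_conn_info = 1
gw/rem_start = DISABLED
icm/security_log = LOGFILE=dev_icm_sec_%y_%m,LEVEL=1,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month
login/password_downwards_compatibility = 1
login/password_hash_algorithm = encoding=RFC2307,algorithm=iSSHA-512,iterations=10000,saltsize=96
rdisp/gui_auto_logout = 7200
rfc/callback_security_method = 3
"""


@dataclass
class Finding:
    param: str
    actual: Optional[str]
    recommended: str
    ok: bool
    note: str = ""


def parse_profile(text: str) -> dict:
    """Read 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def compound(value: str) -> dict:
    """Split 'k1=v1,k2=v2,...' into a dict with lower-case keys."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in value.split(",") if "=" in p)}


def to_seconds(value: str) -> int:
    m = re.fullmatch(r"(\d+)\s*([SMH]?)", value.strip().upper())
    if not m:
        raise ValueError(f"unrecognised time value {value!r}")
    return int(m.group(1)) * TIME_UNIT[m.group(2)]


def check(param: str, actual: Optional[str]) -> Finding:
    rec, note = BASELINE[param], ""
    if actual is None:                       # fall back to the kernel default
        actual = KERNEL_DEFAULT.get(param)
        if actual is None:
            return Finding(param, None, rec, False, "not set in profile")
        note = "not set in profile, kernel default applies"
    if param == "gw/reg_no_conn_info":       # bitmask: every bit of 255 must be set
        missing = [b for b in range(8) if not (int(actual) >> b) & 1]
        ok = not missing
        if missing:
            note = f"bits not set: {missing}"
    elif param == "rdisp/gui_auto_logout":   # enabled, and no longer than recommended
        ok = 0 < to_seconds(actual) <= to_seconds(rec)
    elif "=" in rec:                         # compound value, compared key by key
        want, have = compound(rec), compound(actual)
        ok = all(int(have.get(k, "0")) >= int(v) if k == "iterations"  # more is fine
                 else have.get(k, "").upper() == v.upper()
                 for k, v in want.items() if k not in PATH_KEYS)
    else:
        ok = actual.upper() == rec.upper()
    return Finding(param, actual, rec, ok, note)


def audit_profile(text: str) -> list:
    params = parse_profile(text)
    return [check(p, params.get(p)) for p in BASELINE]


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print("OK  " if f.ok else "FAIL", f.param, "=", f.actual,
              "| recommended:", f.recommended, "|", f.note)
```

Run it against a real profile by replacing SAMPLE_PROFILE with the file contents; every FAIL line maps to one record of the table, and the "kernel default applies" note identifies settings that are weak only because nobody ever set them.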
Impact to operations, mitigation of impact and revert back method (one record per setting)

auth/check/calltransaction
  Impact to operations: In special cases, "jumps" from one transaction into another may fail due to missing authorizations.
  Mitigation of impact: Start transaction SE97 and maintain TCDCOUPLES accordingly to allow the transaction traversal.
  Revert back method: Comment out the profile parameter or set it to 2 (kernel default).

auth/object_disabling_active
  Impact to operations: Disabling authorization objects is strictly forbidden. This feature can no longer be used during operations.
  Mitigation of impact: -
  Revert back method: Comment out the profile parameter or set it to Y (kernel default).

auth/rfc_authority_check
  Impact to operations: In certain cases, dumps may occur in the system where interfaces try to retrieve information without authentication. In SM59, calling certain functions such as "Unicode test" for a destination without a user prompts for a logon.
  Mitigation of impact: Grant the S_RFC authorization object for function group SRFC to the affected interface users and administrative staff.
  Revert back method: Comment out the profile parameter or set it to 1 (kernel default).

gw/reg_no_conn_info
  Impact to operations: In very rare situations, connections from 3rd-party systems to the RFC gateway may fail. This then affects interfaces that require the 3rd-party service.
  Mitigation of impact: Debug the failure scenario and ask the vendor of the 3rd-party interface to improve its RFC gateway connection mechanism.
  Revert back method: Comment out the profile parameter or set it to 1 (kernel default).

gw/rem_start
  Impact to operations: In very rare situations, connections from 3rd-party systems to the RFC gateway may fail. This then affects interfaces that require the 3rd-party service.
  Mitigation of impact: Debug the failure scenario and ask the vendor of the 3rd-party interface to improve its RFC gateway connection mechanism.
  Revert back method: Comment out the profile parameter.

icf/set_HTTPonly_flag_on_cookies
  Impact to operations: Custom code may intentionally access cookies for application operation. Such access is blocked, possibly disrupting a seamless user experience.
  Mitigation of impact: Change the application code so that it does not access ICF cookies from JavaScript.
  Revert back method: Comment out the profile parameter or set it to 3 (kernel default).

icm/HTTP/logging_0
  Impact to operations: Logging functions are enabled or enhanced. No impact other than disk space consumption is expected. However, if a SIEM system consumes the log entries, the corresponding interface may be affected.
  Mitigation of impact: Monitor disk space properly. Adapt the SIEM log consumer.
  Revert back method: Comment out the profile parameter.

icm/HTTP/logging_client_0
  Impact to operations: Logging functions are enabled or enhanced. No impact other than disk space consumption is expected. However, if a SIEM system consumes the log entries, the corresponding interface may be affected.
  Mitigation of impact: Monitor disk space properly. Adapt the SIEM log consumer.
  Revert back method: Comment out the profile parameter.

icm/security_log
  Impact to operations: Logging functions are enabled or enhanced. No impact other than disk space consumption is expected. However, if a SIEM system consumes the log entries, the corresponding interface may be affected.
  Mitigation of impact: Monitor disk space properly. Adapt the SIEM log consumer.
  Revert back method: Comment out the profile parameter.

login/disable_cpic
  Impact to operations: Pure, native CPIC communication (which is obsolete) will no longer work.
  Mitigation of impact: Change old CPIC interfaces to use standard RFC calls.
  Revert back method: Comment out the profile parameter or set it to 0 (kernel default).

login/password_downwards_compatibility
  Impact to operations: When running a central user administration (CUA) that still makes use of outdated hashes, the CUA central system has to implement the same technique. If this is not done properly, user password distribution and logon may fail.
  Mitigation of impact: Handle the CUA system first. Set the profile parameter to 3 and observe the system behaviour in the system log, then set new complex passwords for the affected users.
  Revert back method: Comment out the profile parameter or set it to 1 (kernel default).

login/password_hash_algorithm
  Impact to operations: When running a central user administration (CUA), the CUA central system has to implement the same technique. If this is not done properly, user password distribution and logon may fail.
  Mitigation of impact: Handle the CUA system first.
  Revert back method: Comment out the profile parameter.

ms/HTTP/logging_0
  Impact to operations: Logging functions are enabled or enhanced. No impact other than disk space consumption is expected. However, if a SIEM system consumes the log entries, the corresponding interface may be affected.
  Mitigation of impact: Monitor disk space properly. Adapt the SIEM log consumer.
  Revert back method: Comment out the profile parameter.

ms/http_logging
  Impact to operations: Logging functions are enabled or enhanced. No impact other than disk space consumption is expected. However, if a SIEM system consumes the log entries, the corresponding interface may be affected.
  Mitigation of impact: Monitor disk space properly. Adapt the SIEM log consumer.
  Revert back method: Comment out the profile parameter or set it to 0 (kernel default).

rdisp/gui_auto_logout
  Impact to operations: Dialog users are logged off after one hour of inactivity. This may affect long-running processes that are run in the foreground.
  Mitigation of impact: Create background jobs for long-running processes.
  Revert back method: Comment out the profile parameter or set it to 0 (kernel default).

rdisp/vbdelete
  Impact to operations: Broken update requests may pile up and eventually slow down the system if they are not handled in a timely manner.
  Mitigation of impact: Clean up update requests in SM13 frequently and adapt the application and system setup to avoid update issues.
  Revert back method: Comment out the profile parameter or set it to 50 (kernel default).

rfc/callback_security_method
  Impact to operations: Intended RFC callbacks (e.g. executed by custom code) that are not properly covered by the RFC callback whitelist in SM59 of the calling system (which receives the callback) are denied. This leads to dumps and application disruption.
  Mitigation of impact: Monitor RFC callback attempts in the Security Audit Log (SM19 / RSAU_CONFIG) and maintain the whitelist in SM59 on the affected destinations.
  Revert back method: Comment out the profile parameter or set it to 1 (kernel default).

rfc/ext_debugging
  Impact to operations: RFC debugging is fully disabled.
  Mitigation of impact: This is a dynamic parameter; if debugging is required, it can be enabled temporarily (transaction RZ11).
  Revert back method: Comment out the profile parameter or set it to 3 (kernel default).

rfc/reject_expired_passwd
  Impact to operations: Handling of password setup and expiry for technical users may be affected. Interfaces may stop working if passwords are expired or initial.
  Mitigation of impact: Check the password status in transaction SUIM and refresh the affected passwords and users.
  Revert back method: Comment out the profile parameter or set it to 0 (kernel default).

wdisp/add_xforwardedfor_header
  Impact to operations: None.
  Mitigation of impact: -
  Revert back method: Comment out the profile parameter or set it to FALSE (kernel default).

Security Audit Log configuration
  Impact to operations: Logging functions are enabled or enhanced. No impact other than disk space consumption is expected. However, if a SIEM system consumes the log entries, the corresponding interface may be affected.
  Mitigation of impact: Monitor disk space properly. Adapt the SIEM log consumer.
  Revert back method: Delete the new filter configuration in transaction RSAU_CONFIG.
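Several records above end with "Adapt the SIEM log consumer": the LOGFORMAT strings recommended for icm/HTTP/logging_0 and ms/HTTP/logging_0 define exactly what that consumer has to parse. The following Python code is an added example, not part of the original document and not SAP code: it translates a LOGFORMAT string into a regular expression with one named group per token, parses log lines with it, and counts 401/403 responses per client address as a simple detection over the parsed records. The log lines are constructed for this example; the rendering of %t as a bracketed time stamp, the per-token field patterns, and the hostnames and paths are assumptions, not taken from the page.

```python
"""Parse ICM / message server HTTP access logs by their LOGFORMAT string.

Added example, not part of the original document or of SAP software.  The log
lines below are constructed; the token-to-regex mapping (in particular the
bracketed %t time stamp) is an assumption about how the fields are rendered.
"""
import re
from collections import Counter
from typing import Optional

# LOGFORMAT parts of the recommended values for icm/HTTP/logging_0 and ms/HTTP/logging_0.
ICM_LOGFORMAT = r'%t %a %u1 \"%r\" %s %b %Lms %{Host}i %w1 %w2'
MS_LOGFORMAT = r'%t %a %u %r %s %b %{Host}i'

# %{Header}i takes a request header; other tokens are one letter, optionally with a
# suffix (%u1, %w1, %w2, %Lms).  Longer alternatives are listed first.
TOKEN = re.compile(r"%\{(?P<hdr>[^}]+)\}i|%(?P<tok>Lms|Lus|L|u1|w1|w2|[a-zA-Z])")
FIELD_PATTERNS = {
    "t": r"\[[^\]]+\]",      # assumed: time stamp in square brackets
    "s": r"\d{3}",           # HTTP status code
    "b": r"\d+|-",           # response bytes, or '-' when unknown
    "L": r"\d+", "Lms": r"\d+", "Lus": r"\d+",   # processing time
}


def _literal(text: str) -> str:
    """Escape literal format text; a run of whitespace matches any whitespace run."""
    return "".join(r"\s+" if p.isspace() else re.escape(p)
                   for p in re.split(r"(\s+)", text) if p)


def format_to_regex(logformat: str):
    """Translate a LOGFORMAT string into an anchored regex, one named group per token."""
    fmt = logformat.replace('\\"', '"')   # the profile value escapes quotes with a backslash
    parts, pos = ["^"], 0
    for m in TOKEN.finditer(fmt):
        lit = fmt[pos:m.start()]
        parts.append(_literal(lit))
        if m.group("hdr"):
            name, pat = "hdr_" + re.sub(r"\W", "_", m.group("hdr")), r"\S+"
        else:
            name = m.group("tok")
            if name == "r":   # the request line contains spaces; quotes bound it if present
                pat = r'[^"]*' if lit.endswith('"') else r".+?"
            else:
                pat = FIELD_PATTERNS.get(name, r"\S+")
        parts.append(f"(?P<{name}>{pat})")
        pos = m.end()
    parts += [_literal(fmt[pos:]), "$"]
    return re.compile("".join(parts))


def parse_line(rx, line: str) -> Optional[dict]:
    m = rx.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def failed_auth_by_client(lines, logformat: str, statuses=("401", "403")) -> Counter:
    """Count authentication/authorization failures per client address (%a)."""
    rx, hits = format_to_regex(logformat), Counter()
    for line in lines:
        rec = parse_line(rx, line)
        if rec and rec.get("s") in statuses:
            hits[rec["a"]] += 1
    return hits


# Constructed sample lines in the two recommended formats (not from a real system).
ICM_LINES = [
    '[14/Jun/2021:09:12:31 +0200] 10.1.2.3 JDOE "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5120 37 sap.example.com - -',
    '[14/Jun/2021:09:12:40 +0200] 203.0.113.7 - "GET /sap/bc/soap/rfc HTTP/1.1" 401 0 4 sap.example.com - -',
    '[14/Jun/2021:09:12:41 +0200] 203.0.113.7 - "GET /sap/bc/soap/rfc HTTP/1.1" 401 0 3 sap.example.com - -',
    '[14/Jun/2021:09:12:41 +0200] 203.0.113.7 - "GET /sap/bc/soap/rfc HTTP/1.1" 401 0 5 sap.example.com - -',
    '[14/Jun/2021:09:13:02 +0200] 10.1.2.3 JDOE "POST /sap/bc/webdynpro/sap/app HTTP/1.1" 200 2048 88 sap.example.com - -',
]
MS_LINE = '[14/Jun/2021:09:12:35 +0200] 10.1.2.9 - GET /msgserver/text/logon HTTP/1.1 200 312 ms.example.com'

if __name__ == "__main__":
    rx = format_to_regex(ICM_LOGFORMAT)
    for line in ICM_LINES:
        print(parse_line(rx, line))
    print(parse_line(format_to_regex(MS_LOGFORMAT), MS_LINE))
    print(failed_auth_by_client(ICM_LINES, ICM_LOGFORMAT))
```

Because the regex is derived from the configured LOGFORMAT rather than hard-coded, a change to icm/HTTP/logging_0 in the profile only requires feeding the new string to format_to_regex; the unquoted %r of the message server format is handled by a non-greedy match bounded by the fixed fields that follow it.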